Q&A: Mobile Forensics Expert Discusses Highlights of Digital Work

Digital and mobile forensics expert Heather Mahalik spoke with Forensic Magazine last week about the highlights of her career and the evolution of the field over the years.

Heather Mahalik is a digital and mobile forensics expert who has worked in the field for over 14 years, including at the U.S. State Department Computer Investigations and Forensics Lab and in e-discovery at Stroz Friedberg and Basis Technology. Over her career she has worked on cases ranging from civil disputes, to child exploitation, to terrorism, including work on the media of one of the world’s most infamous terrorists, Osama bin Laden.

She is currently the director of forensic engineering at ManTech CARD and a senior instructor at SANS Institute, where she teaches a class on advanced smartphone forensics. Last week, Mahalik spoke with Forensic Magazine about her career, changes in digital forensics over the years, and her passion for following the newest developments in the ever-changing digital realm, which she writes about on her blog, Smarter Forensics.

Q: How did you first get into digital forensics?

A: I put myself into the category of being lucky and being in the right place at the right time. My undergrad was more of the crime scene investigation—bloodstain pattern analysis. So nothing to do with computers at all.

I was in the Air Force at the time and I could not get a job, and one day on the way to a drill weekend I met someone, and he was like ‘Hey, would you consider digital forensics?’ At that point I would consider anything. I honestly thought it would just be a stepping stone to get a job, and from there the interview went well, and everything took off.

Q: How did working in digital forensics differ from your earlier crime scene experience?

A: (Physical crime scene investigation) is more standard. I feel like you learn a skill, and then you apply it all the time. You don’t have to continuously learn like you do in digital forensics. Obviously if new DNA technology comes out you would, but how you work a crime scene is how you work a crime scene. This is not the case with digital forensics where a new operating system comes out, or a new device, or encryption, and we’re always chasing the new stuff, which is released daily. There’s a more consistent approach to that side of physical forensics, versus digital forensics.

Q: What types of cases have you worked on throughout your career?

A: At State Department I worked a lot of child exploitation, visa fraud and passport fraud, which just kind of wears you down, with the child exploitation-type cases. But obviously they matter, because most people don’t want that type of thing on the street.

From there, I left and I did eDiscovery work; I worked everything from divorce cases, high profile Capitol Hill cases to someone suing another company for corporate rights.

Then I started doing more of the DoD (Department of Defense) type work, and that’s when I worked on Osama bin Laden’s media. That was nice because it’s something we were chasing for years, and to finally have it (…) is pretty amazing.

Q: What specific media were you working with on the bin Laden case?

A: It was actually the phones. My team and I worked on several cellphones, and we were able to recover data that other people weren’t able to, and then we shared it.

Q: How did you get into working with mobile forensics specifically, and what do you enjoy about it?

A: Back in 2008 I was approached about running a mobile device team. I really wasn’t keen on it because back then, it’s only been 10 years ago but phones were not like they are today. Not everybody had one, people had a lot of the flip phones, and the iPhone was just released, so I thought I would be hurting my career by taking that position. I thought I would take it for just a year or so, and then cellphones boomed.

What I like about it so much is it changes several times a year. Every September, a new version of iPhone is released and Apple makes changes. I try to chase the changes, and blog about it, and include it in my course. Then with all the Android releases—same thing.

It’s not as set as Windows forensics or Mac forensics, where there aren’t major updates that occur frequently. I still do that type of work as well. It’s just not something that I’m constantly chasing. I guess I’m just eager to keep learning, and the answer to that is mobile, because it changes every day. Look at all the third party apps and encryption, and acquisition methods, and mobile device management. It’s good and bad.

Q: How have you seen the realm of digital forensics evolve? What has changed over the years?

A: Encryption is a big thing. It doesn’t necessarily keep us out—it just makes our jobs a little bit more difficult.

Another thing too is third party apps. And this is good and bad depending on how you look at it. It’s good for us, because a lot of people believe that a self-destructing app really does get rid of everything. But when we see it from the forensic side, and everything’s there, it’s bad for the user, great for us as examiners.

And I feel like in the last 14 years, the things that people used to only do on one computer, they’re now doing everywhere. They’ll look at something on their iPad, then they’ll look at it on their phone, and then they log into their computer. What they don’t realize is that data is syncing across all those devices. So when they delete it from one, it still exists everywhere, and then the chance of us getting it from cloud is good too. It’s really hard for users to completely clear their history or get rid of all the stuff they were doing.

Q: What cases that you’ve worked have been the most important to you?

A: Child exploitation cases that I worked, just because we would get bad people out of the workplace, and off the streets.

Other than that, obviously the terrorism cases are also equally important, because we can stop terrorism in advance proactively, by seeing who they’re talking to, who they’re communicating to, trying to catch some of the recruitment that’s occurring. Obviously, that also keeps everyone a little bit safer.

Q: What is the main message you want to send your digital forensics students and others starting out in the field?

A: To not trust what the tool tells them, evidence-wise. Because this can make someone who is innocent look guilty. How the data is saved on a phone, with all the suggestions, and all this thinking that your phone does for you, you need to put the user behind that device versus just assume that somebody did it because the tool said they did. There are so many discrepancies, and this is true across even hard-drive forensics, for traditional PC or Mac forensics.

Q: What is your perspective on being a woman in a male-dominated field like digital forensics?

A: My big thing is, I just want to be treated equally like everyone. I don’t want to be just a great female—I want to be great in forensics.
